More than 600K User Accounts Exposed in DaFont Database Theft

A hacker compromised more than 600,000 users’ accounts when they stole a database operated by the font sharing site DaFont.

In early May 2017, the currently unnamed hacker stole a site database containing 699,464 usernames, email addresses, and hashed passwords after hearing of other attacks launched against it. As they told ZDNet in an interview:

“I heard the database was getting traded around so I decided to dump it myself — like I always do.”

This opportunistic malfeasant went on to explain they exploited an “easy to find” union-based SQL injection vulnerability in DaFont’s site software “mainly just for the challenge [and] training my pentest skills.”

DaFont’s website. (Source: Pearltrees)

SQL injection vulnerabilities are among the top threats confronting web applications. In fact, these types of flaws are so serious that OWASP has named injection vulnerabilities as number one to its Top 10 Project in the past. To learn more about how SQL injection works, check out this three–partseries.

Upon analyzing the database, the hacker determined that DaFont had used the broken MD5 algorithm without a salt to store users’ passwords. The party subsequently took it upon themselves to convert 98 percent of the saved passwords into plaintext. They then sent the database to ZDNet and Troy Hunt, owner of the breach notification service Have I Been Pwned. Both independently verified its stored user account information, which contained Microsoft, Google, and Apple corporate accounts as well as some accounts associated with government agencies based in the United States and the UK.

ZDNet reached out to the DaFont site’s registered owners, Rodolphe Milan and Nicolas Peton, but it has yet to receive comment.